Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Stats Distint Count
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IRHM73
Motivator
03-16-2016
07:20 AM
Hi, I wonder whether someone may be able to help me please.
I'm using the query below to extract a piece of data.
index=main tags.transactionName=print-suppression
| eval Date=substr(generatedAt, 1, 10) | stats dc(Date) by Date
| eval verifiedButBounced=coalesce('detail.verifiedButBounced.count',0)
| eval pendingVerificationOfChangedEmail=coalesce('detail.pendingVerificationOfChangedEmail.count', 0)
| eval verifiedPendingVerificationOfChangedEmailAndBounced=coalesce('detail.verifiedPendingVerificationOfChangedEmailAndBounced.count', 0)
| eval verifiedButBouncedPendingVerificationOfChangedEmail=coalesce('detail.verifiedButBouncedPendingVerificationOfChangedEmail.count', 0)
| eval verifiedButBouncedPendingVerificationOfChangedEmailAndBounced=coalesce('detail.verifiedButBouncedPendingVerificationOfChangedEmailAndBounced.count', 0)
| eval verifiedNotBounced=coalesce('detail.verifiedNotBounced.count', 0)
| eval Verified=verifiedButBounced + pendingVerificationOfChangedEmail + verifiedPendingVerificationOfChangedEmailAndBounced + verifiedButBouncedPendingVerificationOfChangedEmail + verifiedButBouncedPendingVerificationOfChangedEmailAndBounced + verifiedNotBounced
| rename detail.totalOfAllOptedIn.count AS Opted_In, detail.optedOut.count AS Opted_Out
| table Date, Opted_In, Opted_Out, Verified, detail.verifiedButBounced.count, detail.verifiedNotBounced.count, detail.pendingVerificationOfChangedEmail
The problem I have is that I want eliminate duplicate dates. Now I know that I can use 'dedup' which successfully removes the duplicates but I've been reading that stats dc or 'distinct count' is more efficient, but I'm a little unsure about how to incorporate this.
I just wondered whether someone could possibly look at this please and offer some guidance on where I should incorporate the 'stats dc' command.
Many thanks and kind regards
Chris
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IRHM73
Motivator
03-16-2016
08:24 AM
Hi all,
Just to let you know that I've continued to work on this and created a solution here:
index=main tags.transactionName=print-suppression
| eval Date=substr(generatedAt, 1, 10)
| eval verifiedButBounced=coalesce('detail.verifiedButBounced.count',0)
| eval pendingVerificationOfChangedEmail=coalesce('detail.pendingVerificationOfChangedEmail.count', 0)
| eval verifiedPendingVerificationOfChangedEmailAndBounced=coalesce('detail.verifiedPendingVerificationOfChangedEmailAndBounced.count', 0)
| eval verifiedButBouncedPendingVerificationOfChangedEmail=coalesce('detail.verifiedButBouncedPendingVerificationOfChangedEmail.count', 0)
| eval verifiedButBouncedPendingVerificationOfChangedEmailAndBounced=coalesce('detail.verifiedButBouncedPendingVerificationOfChangedEmailAndBounced.count', 0)
| eval verifiedNotBounced=coalesce('detail.verifiedNotBounced.count', 0)
| eval Verified=verifiedButBounced + pendingVerificationOfChangedEmail + verifiedPendingVerificationOfChangedEmailAndBounced + verifiedButBouncedPendingVerificationOfChangedEmail + verifiedButBouncedPendingVerificationOfChangedEmailAndBounced + verifiedNotBounced
| stats dc(Date) by Date, Verified, detail.totalOfAllOptedIn.count, detail.optedOut.count, detail.verifiedButBounced.count, detail.verifiedNotBounced.count, detail.pendingVerificationOfChangedEmail.count
| rename detail.totalOfAllOptedIn.count AS Opted_In, detail.optedOut.count AS Opted_Out
| table Date, Opted_In, Opted_Out, Verified, detail.verifiedButBounced.count, detail.verifiedNotBounced.count, detail.pendingVerificationOfChangedEmail.count
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IRHM73
Motivator
03-16-2016
08:24 AM
Hi all,
Just to let you know that I've continued to work on this and created a solution here:
index=main tags.transactionName=print-suppression
| eval Date=substr(generatedAt, 1, 10)
| eval verifiedButBounced=coalesce('detail.verifiedButBounced.count',0)
| eval pendingVerificationOfChangedEmail=coalesce('detail.pendingVerificationOfChangedEmail.count', 0)
| eval verifiedPendingVerificationOfChangedEmailAndBounced=coalesce('detail.verifiedPendingVerificationOfChangedEmailAndBounced.count', 0)
| eval verifiedButBouncedPendingVerificationOfChangedEmail=coalesce('detail.verifiedButBouncedPendingVerificationOfChangedEmail.count', 0)
| eval verifiedButBouncedPendingVerificationOfChangedEmailAndBounced=coalesce('detail.verifiedButBouncedPendingVerificationOfChangedEmailAndBounced.count', 0)
| eval verifiedNotBounced=coalesce('detail.verifiedNotBounced.count', 0)
| eval Verified=verifiedButBounced + pendingVerificationOfChangedEmail + verifiedPendingVerificationOfChangedEmailAndBounced + verifiedButBouncedPendingVerificationOfChangedEmail + verifiedButBouncedPendingVerificationOfChangedEmailAndBounced + verifiedNotBounced
| stats dc(Date) by Date, Verified, detail.totalOfAllOptedIn.count, detail.optedOut.count, detail.verifiedButBounced.count, detail.verifiedNotBounced.count, detail.pendingVerificationOfChangedEmail.count
| rename detail.totalOfAllOptedIn.count AS Opted_In, detail.optedOut.count AS Opted_Out
| table Date, Opted_In, Opted_Out, Verified, detail.verifiedButBounced.count, detail.verifiedNotBounced.count, detail.pendingVerificationOfChangedEmail.count
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
alacercogitatus
SplunkTrust
03-16-2016
08:14 AM
You could do it at the tail end of that search.
<that_Search> | stats last(*) as * by Date
This will take the "last" of each value on each date, and output it. You can also use "first" to get the first event found.
Remove the |stats dc(Date) by Date, since that is probably interfering with the search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IRHM73
Motivator
03-16-2016
08:26 AM
Hi, thank you for taking the time to reply to my post.
I did try the solution you kindly provided, but unfortunately it didn't return any results, but I have managed to put together a solution.
Many thanks and kind regards
Chris
Get Updates on the Splunk Community!
Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!
Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...
Introducing Edge Processor: Next Gen Data Transformation
We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...
Take the 2021 Splunk Career Survey for $50 in Amazon Cash
Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...
